Should companies get cyber insurance?

You don’t need to be told that cybersecurity is still top of mind for most organisations right now. While specific types of attacks are on the decrease, there’s no shortage of horror stories about companies suffering data breaches, and the impact on business can be disastrous.

Just last month, Norwegian aluminium producer, Norsk Hydro, had 22,000 computers taken offline at 170 different sites around the world after a ransomware attack. Although the company decided not to engage with the hackers and their ransom demands, getting operations back online has so far cost Norsk Hydro more than £45 million.

As data becomes increasingly integral to companies’ business models, and the regulatory fines and repercussions for not protecting that data grow larger, the fallout from a serious data breach could start putting organisations out of business.

Unfortunately, traditional cybersecurity measures are not always fit for purpose against the backdrop of increasingly sophisticated and targeted attacks. Add to that the proliferation of nation state attacks and many companies have been left wondering if a data breach is simply now an inevitability, much like death and taxes.

So, what’s the solution? If your company was robbed of its physical assets, you probably have an insurance policy in place to cover the damage. Could the same be done for your company if you experience a data breach, and can cyber insurance ever really mitigate the damage from an attack on the scale suffered by Norsk Hydro?

Will cyber insurance make your business more secure?

Cyber insurance is not a new concept. It first appeared on the security scene in the 1990s and has continued to grow in popularity ever since.

However, while a recent Telstra Security report claimed that 36 percent of organisations currently have a cybersecurity insurance policy in place, there are still a number of questions and ambiguities over what protections companies are offered should they suffer a cyber attack.

Earlier this year, it was reported that Zurich American Insurance Company refused to pay out on a policy after the US food company Mondelez lost 1,700 servers and 24,000 laptops to the 2017 NotPetya ransomware attack.

Although the company’s policy stated it was covered for "physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction", Zurich refused to pay out, stating that the cyberattack was an “act of war.” Mondelez have now sued for $100 million.

Controversially, the Equifax data breach, which affected more than 147 million people and cost the company $439 million, was partially covered by an insurance payout. Equifax got around $125 million from its insurance company and posted a profit.

“The recent explosive growth of confusing cyber insurance products coming to market means thousands of SMBs are purchasing policies filled with technical contingencies that could — and frequently do — void their claims,” said Michael Mittel, president and general manager of cybersecurity specialist RapidFire Tools.

By purchasing coverage without any real clarity or insight into what is covered by the policy, organisations are rarely sure of the circumstances under which they’ll receive a payout.

Should companies that are hit by a cyber attack realistically expect to receive an insurance payout for lost earnings, for example? Probably not. What about replacing encrypted hardware that can no longer be used? Probably yes. And will insurance companies that refuse to pay out because an attack is an ‘act of war’ have to legally prove its origin? The court case against Zurich will answer that.

Are there better ways to manage risk?

In the days after Norsk Hydro was hit by a ransomware attack, various company spokespeople made public statements claiming the company did have a robust cyber insurance policy in place.

However, chief financial officer Eivind Kallevik told a news conference that the insurance “has a ceiling”, although he declined to specify what that ceiling was, and it’s still far from guaranteed that Norsk Hydro will be able to recoup the cost of the attack.

Calculating risk for organisations across all industry verticals is no easy feat and, with very few willing to publicly declare being a victim of a data breach, insurance companies looking to enter the cyber insurance market are struggling to find data to back up their underwriting decisions.

Furthermore, the purchase of insurance policies usually falls under the CFO’s remit, meaning security professionals within any given company could end up having very little involvement in policy selection. As a result, policies rarely offer organisations the level of coverage they need, leaving further gaps in security strategies that could ultimately leave the policy holders worse off should a data breach occur.

“Businesses still revolve around the five classic asset classes: monetary, physical, relational, organisational and human, which I imagine they will have insurance to protect. And yet they don’t put data into that category,” said George Marcotte, managing director at Accenture Digital.

“It’s only the new platform companies that see data as a sixth asset class. Not only will they take steps to insure it, but they also take bigger steps to invest in it. As data becomes more vital to business success, not taking all steps to protect it is like forgetting to insure the crown jewels.”

One positive that has emerged from the recent uptake in cyber insurance is the requirement for companies to undertake a security risk assessment before taking out a policy. Although such assessments still vary greatly, having an external party evaluate your security strategy and make sure basic things like patching and encryption are being done can help you to mitigate risk in the long term.

While insurance undoubtedly has its place in the cybersecurity landscape, it’s clear there’s still a lot of work to be done on the part of both insurance companies and policy purchasers before cyber insurance is truly fit for purpose.

The ongoing lack of clarity will only serve to hinder trust in insurers and leave companies in the dark as to how much financial damage they will have to absorb themselves.

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.